{"id":26397323,"url":"https://github.com/thalesgroup/besec","last_synced_at":"2026-02-28T15:01:16.113Z","repository":{"id":38242672,"uuid":"470121022","full_name":"ThalesGroup/besec","owner":"ThalesGroup","description":"Self-service SDLC and maturity measurement","archived":false,"fork":false,"pushed_at":"2025-09-08T08:04:47.000Z","size":3919,"stargazers_count":7,"open_issues_count":4,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-09-08T09:25:27.260Z","etag":null,"topics":["maturity-model","sdlc","secure-development"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ThalesGroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-03-15T11:04:05.000Z","updated_at":"2025-09-08T07:31:25.000Z","dependencies_parsed_at":"2023-02-17T23:46:05.411Z","dependency_job_id":"89d621b4-43bc-4b42-a523-34b6628890da","html_url":"https://github.com/ThalesGroup/besec","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/ThalesGroup/besec","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fbesec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fbesec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fbesec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fbesec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ThalesGroup","download_url":"https://codeload.github.com/ThalesGroup/besec/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fbesec/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29938962,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T13:49:17.081Z","status":"ssl_error","status_checked_at":"2026-02-28T13:48:50.396Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["maturity-model","sdlc","secure-development"],"created_at":"2025-03-17T12:17:24.679Z","updated_at":"2026-02-28T15:01:16.087Z","avatar_url":"https://github.com/ThalesGroup.png","language":"TypeScript","readme":"# BeSec\n\nBeSec is a web application that helps organizations adopt a Secure Development\nLifecycle. It is used by engineering teams to learn about the security\nactivities they are expected to perform, record their current level of adoption,\nand plan next steps. It also enables security teams to track maturity over time\nacross the organization.\n\nGoals:\n\n-   Support engineering organizations with diverse product types, ways of\n    working, and levels of maturity.\n\n-   Help engineering teams prioritize adoption of security activities.\n\n-   Enable small security teams to track maturity across a large organization.\n\nTake note of these goals! This may not be the right approach for you if:\n\n-   Your engineering team doesn't fit this diverse profile, such as a company\n    working on a single product with a common culture, tools, and processes.\n\n-   You require uniform compliance with all security activities, so your SDLC is\n    not compatible with the concept of a maturity model.\n\n-   You don't need a self-service system, in which case a spreadsheet populated by\n    security engineers will do the job!\n\nIn this document:\n\n-   [Concepts](#concepts)\n-   [Use](#use)\n-   [Deploy](#deploy)\n-   [Manage](#manage)\n\n![A screenshot of a BeSec plan](./docs/screenshot.png)\n\n## Concepts\n\nThe security activities in BeSec are grouped into _Practices_. A security team\nwould typically define these, but we include a set of sample practices with the\ntool. An individual _Practice_ covers a single domain, for example static\nanalysis.\n\n_Activities_ in a practice are discrete tasks or ways of working that teams are\nexpected to adopt. Each activity is assigned to a maturity level from 1-4.\n\n_Projects_ define the scope of deployment/measurement -\nthese might cover a development team or a particular product, whatever is the\nright fit in the organization.\n\nWithin a Project are _Plans_. These represent a\npoint-in-time maturity measurement against the practices, and optionally a\nselection of prioritized activities to focus on next.\n\nA completed plan has a _maturity level_ of 0-4 calculated for each practice,\nbased on the status of the activities in that practice. A given maturity level\nis reached if all of the activities at that level and below are either met or\nare not applicable.\n\n## Use\n\nAfter deploying the application with your organization's security practices, the expected flow is:\n\n1. Perform a guided session with a team, to help identify any misunderstandings\n   of the activities and ensure a consistent measurement of maturity levels across\n   different teams.\n\n2. On a regular cadence, teams create a new plan (building on their latest\n   plan) that reflects any changes in their adoption of the practices. This is a\n   self-service activity.\n\n3. Security teams monitor metrics and publish updates to the security\n   practices.\n\n## Deploy\n\nBeSec is distributed as a\n[binary](https://github.com/ThalesGroup/besec/releases) and a\n[containerized](https://gcr.io/besec-project/besec) version of the binary. The\ntool functions as both application server and admin client CLI.\n\nBeSec depends on GCP's Cloud Firestore and Firebase Auth; if you would like to\nsupport alternative databases or authentication systems, PRs are welcome.\n\nIt can be deployed using Cloud Run - the only prerequisites are a Firestore\ndatabase (in Native mode) existing in the project and the Service Account\nassociated with the instance having access to that database.\n\nSee the [CONTRIBUTING.md](./docs/CONTRIBUTING.md) file for instructions on running\nthe server locally.\n\n### Configure\n\nConfig options can be set using any of:\n\n-   commandline flags (run `besec help` for a comprehensive listing of all options)\n-   the [`config.yaml`](./config.yaml) file. Keys have the same name as the commandline flags.\n-   environment variables, names are the same as the commandline flags, in upper case,\n    prefixed with `BESEC_`, and with dashes replaced with underscores. e.g. `BESEC_GCP_PROJECT`\n\n## Manage\n\nThere is no admin area of the website, instead admins use the `besec`\ncommandline tool to directly interact with the backend. Run `besec` to get help\non the available commands.\nAdministrators need permission to impersonate a service account - set the\nterraform `cli-admins` variable appropriately. Note that this service account\nshould _not_ have any API keys generated for it.\n\nAdministrators can manage the site by running:\n\n-   `besec users` - to view, authorize, and remove users.\n-   `besec practices` - to publish practice definitions.\n    You'll need to do this the first time you run the app and then whenever you change the definitions.\n\n### Manage Users\n\nUsers can log in using any of the identity providers configured in the config\nfile under `auth`. Currently the Google and SAML identity providers are\nsupported. PRs to add support for other [Google Identity\nPlatform](https://cloud.google.com/identity-platform/docs/concepts-authentication)\nproviders are welcome.\n\nIf the provider config has `whitelisted: true` set, the user will have access\nto the system. Otherwise, users can still log in but will not get access until\nan admin authorizes them. If alerts have been configured (`alerts` and one of\nthe `slack-webhook-*` options has been set), admins are notified when a new\nuser tries to log in but is not authorized. To authorize a user:\n\n```\n$ besec users list\nUID                           Email                    Display name  Provider          Status\n0C3usgiCJWaxikvduaSdzGRUCLt1  joe.bloggs@example.com  'Joe Bloggs'   saml.my-provider\n88Jkby6RamVqz4JGHfF19vK0Lzs1  jane.doe@example.com    'Jane Doe'     google.com        [manually authorized]\n...\n\n$ besec users authorize 0C3usgiCJWaxikvduaSdzGRUCLt1\nAuthorized Joe Bloggs\n```\n\nThe `trusted-domains` configuration entry is a convenience to users of the CLI\nto prevent accidentally adding users from untrusted domains.\n\n### Manage Practices\n\nA fresh deployment of BeSec does not include any practices - an administrator\nfirst has to publish them. We include a sample set of practices in this repo\nunder [./practices](./practices), however you will likely wish to replace them\nwith your own. See [docs/examplePractice.yaml](./docs/examplePractice.yaml) for an\nannotated sample of the format.\n\nPractices are published together as a set. When a set of practices are\npublished, a new _practices version_ is created.\n\nWhen you have updated your practice definition files, publish them to the site\nwith `besec practices publish`. This is a natural fit for a CI pipeline. The\n`besec practices check` command can be used to validate practice syntax prior\nto publishing.\n\nOnce you have published a set of practices, new plans will use the latest\nversion, but you can still view old plans and metrics that used an older\ndefinition of the practices.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthalesgroup%2Fbesec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthalesgroup%2Fbesec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthalesgroup%2Fbesec/lists"}